porkadot 0.23.0 → 0.25.0

Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/hack/metallb/crds/kustomization.yaml +5 -0
  3. data/hack/metallb/exclude-l2-config.yaml +8 -0
  4. data/hack/metallb/kustomization.yaml +10 -0
  5. data/hack/update-kubelet-cert-approver.sh +6 -0
  6. data/hack/update-metallb.sh +7 -0
  7. data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +1 -1
  8. data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +17 -9
  9. data/lib/porkadot/assets/etcd/etcd.env.erb +4 -0
  10. data/lib/porkadot/assets/etcd/install.sh.erb +1 -0
  11. data/lib/porkadot/assets/etcd.rb +1 -0
  12. data/lib/porkadot/assets/kubelet/config.yaml.erb +1 -39
  13. data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb +1 -0
  14. data/lib/porkadot/assets/kubelet/kubelet.service.erb +2 -6
  15. data/lib/porkadot/assets/kubelet/metadata.json.erb +5 -0
  16. data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb +3 -1
  17. data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb +1 -3
  18. data/lib/porkadot/assets/kubelet-default/install.sh.erb +22 -7
  19. data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb +22 -0
  20. data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb +16 -0
  21. data/lib/porkadot/assets/kubelet.rb +14 -12
  22. data/lib/porkadot/assets/kubernetes/install.sh.erb +3 -1
  23. data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb +1 -1
  24. data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb +1 -1
  25. data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb +12 -51
  26. data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb +3 -0
  27. data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb +210 -0
  28. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb +3 -1
  29. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml +1272 -0
  30. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb +1 -12
  31. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb +507 -252
  32. data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +4 -1
  33. data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +3 -0
  34. data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +3 -1
  35. data/lib/porkadot/assets/kubernetes.rb +22 -1
  36. data/lib/porkadot/config.rb +1 -1
  37. data/lib/porkadot/configs/addons.rb +4 -0
  38. data/lib/porkadot/configs/etcd.rb +9 -0
  39. data/lib/porkadot/configs/kubelet.rb +25 -7
  40. data/lib/porkadot/default.yaml +17 -15
  41. data/lib/porkadot/install/bootstrap.rb +1 -1
  42. data/lib/porkadot/install/kubelet.rb +24 -40
  43. data/lib/porkadot/version.rb +1 -1
  44. data/lib/porkadot.rb +1 -0
  45. metadata +17 -7
  46. data/lib/porkadot/assets/kubelet/install.sh.erb +0 -35
  47. data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb +0 -17
  48. data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml +0 -480
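--- a/data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb
@@ -0,0 +1,210 @@
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+ name: kubelet-serving-cert-approver
+ ---
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: certificates:kubelet-serving-cert-approver
+ rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/kubelet-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: events:kubelet-serving-cert-approver
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: events:kubelet-serving-cert-approver
+ namespace: default
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: events:kubelet-serving-cert-approver
+ subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: certificates:kubelet-serving-cert-approver
+ subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ ---
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ spec:
+ ports:
+ - name: metrics
+ port: 9090
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ ---
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: DoesNotExist
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ weight: 100
+ containers:
+ - args:
+ - serve
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:main
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ initialDelaySeconds: 6
+ name: cert-approver
+ ports:
+ - containerPort: 8080
+ name: health
+ - containerPort: 9090
+ name: metrics
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: health
+ initialDelaySeconds: 3
+ resources:
+ limits:
+ cpu: 250m
+ memory: 32Mi
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ priorityClassName: system-cluster-critical
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: kubelet-serving-cert-approver
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists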
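Review bot: The Deployment's `image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:main` is a mutable branch tag, and with `imagePullPolicy: Always` every pod restart can pull a different build from the third-party registry. That matters here because the pod's ServiceAccount is bound to `update` on `certificatesigningrequests/approval` and `approve` on the `kubernetes.io/kubelet-serving` signer, and the pod runs at `system-cluster-critical` priority, so whatever the tag currently points to decides which kubelet serving certificates get approved. Pin the reference to a reviewed release and digest, for example `image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:<release-tag>@sha256:<digest>` (placeholders), and use `imagePullPolicy: IfNotPresent`. Since the file is an ERB template, the reference could presumably be taken from the addon configuration so that an upgrade is an explicit, reviewable change.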
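--- a/data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
@@ -3,5 +3,7 @@ kind: Namespace
  metadata:
  labels:
  app: metallb
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
  name: metallb-system
-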
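Review bot: All three Pod Security labels added to `metallb-system` are set to `privileged`, so the namespace gets no enforcement and no audit or warn signal either, and nothing in the hunk records why. If the exemption exists only for the MetalLB pods (presumably host-level networking; their spec is not part of this hunk), say so above the labels, e.g. `# privileged: MetalLB speaker needs host-level networking; keep pod-create rights in this namespace tightly scoped`. Any workload admitted into this namespace bypasses Pod Security admission, so RBAC on pod creation here is the remaining control and is worth checking alongside this change. The Namespace object starts above the hunk, so its `apiVersion` and `kind` lines are not visible.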